Bill: No, you’ve got to show me some evidence. This cannot just be a cynical arse-covering attempt by the Cards Schemes based on dodgy security principles and poorly thought out practices.

Ben: Lob’a’flob

Bill: Surely not – You mean that with the vast majority of (hacker) attacks occurring in the application space, there is no requirement for comprehensive pre-production application level pen-testing? What about 11.3.2?

Ben: Flob’a’dob

Bill: Oh I see: “significant … application upgrade or modification” and then all the examples they give are for infrastructure changes. Yes, and I do remember that it is often the small or emergency changes, that will have been through less QA, that cause issues.

Ben: Lob’a’flob’a’dob.

Bill: I didn’t know that. You mean that the Cards Schemes are considering the forensic recovery from disk of CCV2 values associated with PANs as fully probative evidence of a breach of 3.2.2? Haven’t they ever heard of asynchronous comms? Oh well, have you seen Weed anywhere?

What Bill is hinting at, here, is the weird contradiction between the requirement of 3.2.2 and the requirement to actually authenticate the transaction: at some point all of the transaction data captured is going to be assembled, encrypted and sent, by a normal asynchronous comms method, to the acquiring bank or financial institution. It will be kept in, probably in memory, until the accept / deny message (and the authorisation code) comes back. The computer is likely to suspend the relevant process / thread and there is a chance that this will mean that the memory is paged onto disk storage. Ergo, unless there is a requirement for the assembly to take place in a Hardware Security Module (expensive, and introduce security management issues of their own), any computer which is regularly used to process cards transactions is likely to have, somewhere on disk storage that was once used as virtual memory, multiple instances all of the sensitive card and transaction data. Without any intent to breach Section 3.2 or even with good technical and procedural measures to comply with it.

Sometimes, my job just makes me cry. Oh, and a little birdie told me that the auditing practices are so rigid for this standard that nearly no company can pass 1st time round, so it is another great money-spinner (and reputation killer) for the information security industry.

Protect Your Bits

Nothing You Wanted to Know

A classical liberal & modern libertarian, economically laissez faire, and a governmental minimalist. Somewhat surprised to find this puts me way to the right of Chingis Khan.
Really, really pissed off at the endemic stupidity of the British governing cliques. Sometimes lets his potty mouth get the better of him.